Hmm, i don't think that's the solution. I think that the ASA must send a message to the ACS server about the VPN profile group the user is connecting to. And there have to be a match in ACS database.. Am i right ?